The present invention relates generally to computer systems, and, more particularly, to a system and method for implementing a streams based network access control for a computer.
Modern computer systems perform a variety of processing and communication tasks. For example, computers execute application programs such as word processing programs, scheduling programs, design programs, etc. Computers are also used to connect to other computers in order to exchange information. For example, a computer may execute a program that enables the computer to access information stored on other computers. In another example, a computer may execute what is referred to as a "web browser" program in order to access the Internet. The web browser is an application program, similar to that described above, that enables the computer to navigate through the Internet.
When a computer starts an application program, the computer creates what is referred to as a "process" corresponding to the program. The process contains an instance of the application program and a number of attributes that associate the process to the computer user and to other elements associated with the process. For each instance of the program, another process is invoked. Multiple programs having corresponding processes may operate on a computer simultaneously. Furthermore, one application program may have multiple processes running at the same time.
Some processes, such as, for example but not limited to, a word processing program, may interact with files that are stored on the computer that is executing the process, and also may interact with other computers over a network. The network may be a local area network (LAN) or a wide area network (WAN). Such networks allow multiple computers to communicate with each other.
Typically, each process and each file includes a set of attributes, which may determine, for example, access control. For example, a process executing on a computer has a set of attributes assigned, which may determine whether it may access a particular file, which also includes a (generally) different set of attributes. Some of the attributes assigned to the file define the required set of attributes that a process must have in order to access the file. For example, in the UNIX operating system, each file includes permission attributes, which specify the owner, group and world (everyone) access to the file. If the file attributes specify that a particular group has "read" and "write" access, but not "execute" access, a process possessing that group in its attribute set will only be able to read and write to the file, but not execute it.
When a process that is executing on a computer wishes to communicate with another computer over a network, the process typically sends and receives messages through a network interface card (NIC) associated with the computer. The NIC connects the computer to a network, to which the other computer is also attached through its own associated NIC.
In some current computer systems, a process executing on a computer has access to and can use all the NICs on the computer. Unfortunately, there is no way to restrict access of a process executing on a computer to one or a set of NICs (and therefore the network to which the NIC is connected) and associated computers.
Thus, a heretofore unaddressed need exists in the industry to address the aforementioned deficiencies and inadequacies.
The invention provides a system and method for implementing a streams based network access control for a computer. The invention may be conceptualized as a streams based network access control system that includes a software process operating on a computer and having a network endpoint attribute. The software process is configured to communicate a packet through a streams-based network protocol stack to a network interface card that includes an interface attribute. A session filter module and a network filter module are in communication with the network protocol stack. A table of network attributes, associated with the session filter module and network filter module, compares the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card.
The invention may also be conceptualized as a method for a streams based network access control system, the method comprising the steps of: (1) operating a software process, that includes a network endpoint attribute, on a computer; (2) communicating packets through a network protocol stack to a network interface card, where the network interface card includes an interface attribute; (3) establishing an association between the network endpoint attribute and the interface attribute; (4) placing the network endpoint attribute and the interface attribute in a table; (5) comparing the network endpoint attribute with the interface attribute; and (6) determining whether the software process can access the network interface card.
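As an added illustration of the six steps above (this is example code written for this page, not an implementation from the patent or from any vendor's STREAMS stack), the following C program models the table of network attributes and the two filter points. The attribute encoding (plain strings such as "intranet" and "lan0"), the function names, the fixed table size, and the default-deny rule when no matching row exists are all assumptions; the page names the attributes but does not specify how they are represented. The session filter is modelled as a check made once when a process opens an endpoint on a NIC, and the network filter as a check made for each packet, both consulting the same table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A software process carrying a network endpoint attribute (step 1). */
typedef struct {
    const char *name;
    const char *endpoint_attr;
} proc_t;

/* A network interface card carrying an interface attribute (step 2). */
typedef struct {
    const char *name;
    const char *interface_attr;
} nic_t;

/* One row of the table of network attributes: an endpoint attribute that is
 * permitted to reach an interface attribute (steps 3 and 4). */
typedef struct {
    const char *endpoint_attr;
    const char *interface_attr;
} net_attr_row_t;

/* Hypothetical fixed-size table; a real module would size this dynamically. */
#define NAC_TABLE_MAX 16
static net_attr_row_t g_table[NAC_TABLE_MAX];
static size_t g_table_len = 0;

/* Establish an association and place it in the table. Returns false if full. */
bool nac_associate(const char *endpoint_attr, const char *interface_attr)
{
    if (g_table_len >= NAC_TABLE_MAX)
        return false;
    g_table[g_table_len].endpoint_attr = endpoint_attr;
    g_table[g_table_len].interface_attr = interface_attr;
    g_table_len++;
    return true;
}

/* Compare the process's endpoint attribute with the NIC's interface attribute
 * against the table (steps 5 and 6). Default deny: no matching row, no access. */
bool nac_may_access(const proc_t *p, const nic_t *n)
{
    for (size_t i = 0; i < g_table_len; i++) {
        if (strcmp(g_table[i].endpoint_attr, p->endpoint_attr) == 0 &&
            strcmp(g_table[i].interface_attr, n->interface_attr) == 0)
            return true;
    }
    return false;
}

/* Session filter: evaluated once when the process opens an endpoint on a NIC.
 * Returns true if the session may be established. */
bool nac_session_filter(const proc_t *p, const nic_t *n)
{
    return nac_may_access(p, n);
}

/* Network filter: evaluated per packet on the way to the NIC. Returns the
 * number of bytes passed down, or -1 if the packet is dropped. */
int nac_network_filter(const proc_t *p, const nic_t *n,
                       const unsigned char *pkt, size_t len)
{
    (void)pkt; /* payload content does not influence the decision */
    if (!nac_may_access(p, n))
        return -1;
    return (int)len;
}

int main(void)
{
    /* Constructed sample: a browser process tagged "intranet", two NICs. */
    proc_t browser = { "browser", "intranet" };
    nic_t lan = { "lan0", "lan0" };
    nic_t wan = { "wan0", "wan0" };
    unsigned char pkt[64] = { 0 };

    nac_associate("intranet", "lan0"); /* only the LAN NIC is permitted */

    printf("session on %s: %s\n", lan.name,
           nac_session_filter(&browser, &lan) ? "allowed" : "denied");
    printf("session on %s: %s\n", wan.name,
           nac_session_filter(&browser, &wan) ? "allowed" : "denied");
    printf("packet via %s: %d\n", wan.name,
           nac_network_filter(&browser, &wan, pkt, sizeof pkt));
    return 0;
}
```

Keeping both filters on one table means a process that is denied a session at open time cannot bypass the decision by reaching the NIC through another path, since the per-packet check applies the same rule; the default-deny choice means adding a NIC to the machine grants no process access to it until a row is added.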